Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Building the Hybrid Cloud
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Future of Government Data Centers
- The Future of IT: How CIOs Can Enable the Service-Oriented Enterprise
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Targeting Advanced Threats: Proven Methods from Detection through Remediation
- Transformative Technology: Desktop Virtualization in Government
- The Truth About IT Opex and Software Defined Networking
- Value of Health IT
- Air Traffic Management Transformation Report
- Cloud First Report
- General Dynamics IT Enterprise Center
- Gov Cloud Minute
- Government in Technology Series
- Homeland Security Cybersecurity Market Report
- National Cybersecurity Awareness Month
- Technology Insights
- The Cyber Security Report
- The Next Generation Cyber Security Experts
Shows & Panels
VA improves FOIA process after data breach
Monday - 1/30/2012, 5:48am EST
VA is taking these steps after it gave Ancestry.com the Social Security numbers and the date of births of more than 2,200 living veterans initially presumed deceased.
A daughter of a living veteran found her father's personal information on Ancestry.com and alerted VA of the data breach.
"We went back and scrubbed through 14.7 million records and found 2,257 individuals who were marked in that report as deceased that we have since determined were not," said Roger Baker, VA's assistant secretary for information and technology and chief information officer during a conference call with reporters Wednesday on VA's monthly data breach report to Congress. "Because their information was released to Ancestry.com and posted on the website, they will get credit monitoring notification letters."
Baker said the likelihood of any of that information being looked at was small because the way the site works. He said someone would have to look up a specific person to have found their personal data.
VA's investigation into the data breach found a hole in their FOIA process.
Baker said one office at VA didn't communicate with the FOIA office about the problems in the database.
"We have put in some fairly extensive firewalls to make sure this doesn't happen again," he said. "We have put in place as part of our internal notification, our daily notification, on issues, that any significant FOIA disclosures would be included in that notification to make sure it gets out fairly broadly and everybody has a chance to raise a hand if they believe there is a reason not to do that."
Baker said VA knows Ancestry.com was the only FOIA requestor to have received this dataset.
"We have not seen this issue with any other FOIA response that we have provided from any of our databases that I'm aware of," he said.
The data breach also happened because VA has different rules for releasing information about deceased veterans than they do for living ones.
"On those who are deceased, we have a requirement to release certain information that we would be prohibited from releasing on those who are still living," he said. "Unfortunately, because of the way we receive the data, occasionally we receive erroneous reports of death, which in the normal course of business we end up working back through and remarking the individual as not deceased."
VA wants to make sure every veteran gets notified and understand their offer for credit monitoring services.
While this is not a huge data breach compared to what happened to VA in 2006 when it lost the data of more than 26 million veterans, Baker still termed it significant.
"We believe we handled it appropriately," he said. "Our IG or the GAO or other folks may decide to do some investigation on what caused this to happen and have we adequately dealt with how to make certain it doesn't happen again. I think that's something would be probable given this. It's an unfortunate incident, but it's also why we have some of the processes and procedures that we've got because we know we will have to deal with these things given how much information we deal with."